The wait is the hardest part —

Blizzard delays Diablo III real-money auctions indefinitely

The company also responds to concerns over account hacking.

Those of you hoping to quit your jobs and make a living selling your Diablo III loot for real money will have to keep flipping burgers a little while longer as Blizzard has announced the game's much-discussed real-money auction house has moved "outside the previously estimated May timeframe."

The real-money auction service was originally planned to launch a week after the game's May 15 release, but the rollout was briefly pushed back to a planned May 29 before this latest delay. Blizzard now says that it "need[s] a bit more time to iron out the existing general stability and gameplay issues" in order to "ensure everyone has the smoothest experience possible" with the service. While the company didn't suggest a new date for the launch, it did promise to have "more information soon."

Meanwhile, many Diablo III forum users have been complaining loudly about hackers breaking into their accounts and stealing accumulated items and gold, a problem that would seem crucial to fix before those items start having a real-world value through the auction house. Blizzard officially responded to these reports today, stressing that its servers have not been compromised. The "extremely small" number of complaints that Blizzard has received about compromised accounts have all boiled down to traditional password-stealing methods, the company said, despite rumors of "session spoofing" and other esoteric attacks.


Kyle Orland
Kyle is the Senior Gaming Editor at Ars Technica, specializing in video game hardware and software. He has journalism and computer science degrees from University of Maryland. He is based in the Washington, DC area. Email: kyle.orland@arstechnica.com // Twitter: @KyleOrl

143 Reader Comments

There's certainly enough evidence to show that this goes beyond your average phishing, keylogging and brute-force attempts. A common theme from posters on the forums is: Only one character was cleared out, no characters were deleted, no other accounts were compromised, account was not stolen.

None of the usual methods accounts for this, so you either have a large amount of slightly benevolent scammers creating a noticeable pattern, or only singular characters can be accessed.

Anything involving total account wipes can be assumed to be standard scams.

Not sure if you have used an authenticator recently but once you log in they don't usually ask for it again until several days later. Assuming they just flag the IP address with a successful login as trusted so they don't bother you again till later.

That is an option that you can turn off in the battle.net account website, IIRC it says "ask for authentication every game launch" and "ask for auth every several days"

Idiots are giving out their Battle.net password to phishing E-mails, or they previously had given out their battle.net password to friends to play their WoW account. Cite Charles Darwin, move along.

But I really think it's the latter of the 2. About half the people I knew who played WoW let at least 1 friend play on their account. Some accounts I know of were shared by many.

There's also a LOT of sketchy Diablo 3 websites out there right now. My antivirus gives me a warning for close to half of the Diablo 3 Wikis. And if I click "Continue anyway" and end up with a keylogger, that's MY fault. Not Blizzard's.

Blizzard can only control their end of the field, and they have done everything they can, and more- with the Authenticator. There's really nothing more that Blizzard can ask for other than Biometrics. The "Hacks" are not occurring server side.

Edit: OR they used their BNet E-mail/Password for an unsavory site. This is also a big one. A long long time ago I used a universal E-mail/Password and saw my BNet account accessed. (Oddly enough, nothing went missing....) But once I created a new E-mail exclusively for my Battlenet related stuff, and a password unique to that login, nothing. And it makes sense. Universal Usernames/Passwords are bad.

When Rift came out there were tons of hacking reports, along with holier-than-thou idiots insisting in all cases it was the user's fault. Turns out there was a bug that allowed login to be bypassed altogether, allowing access to anyone's account. And 99% of said outspoken idiots slunk off without apologizing when the news came out.

If you don't know how other people got hacked, (and you don't!), keep your pie hole shut.

I swear to god the next person who complains about case-insensitivity gets a boot to the head.

It doesn't matter. Anyone saying it's a big deal does not understand computer security. Making a longer password is always better than making a case-sensitive password. Case sensitivity only matters when your password is being brute forced, and doing that would require someone to have direct access to Blizz's database. And even in that case, it would have negligible impact. By making your password just a little bit longer you make it much more secure than you would by making it case sensitive. The ra

Everyone has been trained on password security wrong. XKCD did a comic on this (http://xkcd.com/936/). Everyone complaining about how it's such a newbie mistake to not be case sensitive is just trying to play armchair security expert by regurgitating wrong information.

Most passwords are not hacked by brute force. Most of them come from people who are stupid with their passwords and give them out to people inadvertently, or who sign up for services using the same password and one of those services is not secure or fraudulent. That's how passwords get stolen, and when that happens it doesn't matter if your password is case sensitive.

Just use a keyfob like every serious wow player has done for the last 4 years.

And no, it isn't Blizzard's fault you installed an Adobe product on your computer and got hacked. They practically give away those keyfobs for a reason.

*Back when I played WoW in the manner of an addict there were several hundred thousand hacks that were traced back to adobe flash player installing key loggers when you viewed a flash ad. Back then Blizzard was giving away keyfobs, and I received mine for free.


I paid $5 with a buy-one-get-one-free deal. Shipping was free and I received it in 3 days. My wife and I have been using authenticators for years now.

But yes, I remember WoW ad hacks from legit sites. I guess these ad hacker people were more willing to key log for Battle.Net accounts and leave your bank account because the government didn't care to investigate those kinds of hacks.

I always wondered how so many people got their user/pass key-logged but didn't get their CC# stolen. The hackers knew it wasn't worth going after CC#s and getting the government after them.

I really agree on the saving, although that's why I just got the authenticator thingy on my phone, less logins required. If it's saved it offers no real security though, anyone at your computer can quickly log into your account and transfer all your goods. I would really find a better system though, you seem to dislike anything that creates actual security. Password managers are great for that.

I am all for security, but having to write down names and passwords and either store them on a computer or next to the computer is also a security risk in and of itself. All it would take was someone breaking into my house while I was away, stealing the computer then happening to spot the list. I’d be screwed and I wouldn’t even have a record left of my own unless I created multiple copies. There’s a point where it’s no longer called security, it’s called insanity.

robrob wrote:

But you do need to use different passwords, end of story. Some other site you go to let your regular password slip free into the wild, because they generally have bad security. If you're going to reuse a password, think about whether you actually care if that account is breached (before moving to a password manager I often used the same one for forums, because I don't really care if it's hacked).

I would agree. I employ differing levels of passwords depending on the nature of the website and if it’s tied to anything financial or important in nature. Beyond that it doesn’t matter how reputable or not of a website it is in question. Because if you recall, this very website had its forum accounts breached in 2010 and the entire email database compromised at the minimum. I’ve received literally a half-dozen breached account warnings for other forums within as many years, from Square Enix just being the last one I recall.

robrob wrote:

What support do you want? Passwords are as strong as the password is, Blizzard can't do anything about you not using their authenticator and not coming up with something secure. Plus the support isn't bad for a week after a huge launch. All reports I've heard are less than an hour on the phone, I've spent longer than that on hold at work (and I get billed out at well over $65 an hour)

Then you are sorely mistaken. This last week hold times were 60-70 minutes every single day, BEFORE you talk to a live person. I should know because I’ve been trying to get SOME support regarding my hacked account all week, and reading up on other people that did call as well.

What I WANT is actual support! I created a support ticket 12pm Tuesday, and never received a reply to date. Since a rollback will erase anything I do, I cannot use the account until I get it resolved. I got so fed up waiting I spent literally about 70 minutes on hold just to talk to someone, and actually seemed to get things sorted out. Yet it’s been two more days SINCE that phone call and still my account has not been rolled back as it was supposed to be. If you consider it normal to require a week without getting a single reply on a support ticket (even after spending 90 minutes on the phone with their support department to hurry things along), then I’d honestly hate to see your work.

I paid $65 for a game that provides worse support than cheap $5 Indie titles on Steam, and the game itself did little to justify its cost. And that’s before factoring in buying an authenticator, since I don’t use a smartphone.

Thankfully, Blizzard does provide a phone number for refunds, and I shall be making use of it come Monday if I still haven’t heard anything by the end of that business day. I’m irate enough about the condition of the game during launch, the random kicking from the server induced by the always-on connection, and the poor support that I may not even wait. I have a very strong urge to just stick it to them.

robrob wrote:

If your password wasn't strong enough that it could handle a brute force attack then it's not a good enough password. Most systems do not have good security for crap passwords, with very few exceptions (PINs being the main one) for a simple reason, all someone needs is your username and they could lock you out of your own account via firing off enough random passwords.

So you are saying if a RANDOM nine character alphanumeric password can be brute forced, we should blame ourselves instead of Blizzard? I’m sorry but there’s plenty of fail-safes Blizzard can use to prevent such a thing from ever occurring. Implying it is normal to expect otherwise goes beyond mere insanity.

Wow. Just wow. 3 Bliz posts (one was deleted) and they are all posts of the year.

Vasadan wrote:

This is actually consistent with all of our Blizzard games. Try it in WoW and SC2

Said like it's a good thing! I literally facepalmed myself reading this.

Vasadan wrote:

Please leave discussions like this to the General Discussion forums. I'm not going to keep posting on threads if my answer to someone's bug report is a huge discussion about something that isn't a bug.

While not technically a bug, it's such a lapse in security there is a bug in their security programmers' brains for letting something like this happen.

That or it is because Bliz is too damned lazy to deal with all the calls from people who can't get into their accounts because they put in an upper case letter. That's it! Bow to the lowest common denominator when you now have REAL MONEY trading hands. That is if that AH ever comes online.

Blizzard has ignored problems with their customers' accounts getting hacked for YEARS and has totally ignored the issue. I don't even play WOW and I get emails all the time saying that my WOW account has been compromised, etc. All this because I chose to buy Starcraft 2 and was forced to start a Battlenet account just to play the game at all. How hard is it to put in an Authenticator like some of the other games/MMO's have used? Blizzard's constant money-grubbing attitude toward their customers is appalling. Glad I didn't waste my time with Diablo 3. . . I spent $20 and pre-ordered Torchlight 2 and it's looking like more and more of a good decision the more I read about the Diablo 3 experiences everyone else has been having. If I had spent $60 on this game and then gone through the log-on error message issues, the nerfing of a single-play campaign (Why???), and then not following through on the auction house that was promised before release, I'd be really, REALLY annoyed. Sounds like some of you guys might want to look into the potential for a class action lawsuit to get your money back. . . (Just sayin'.)

Another point: Blizzard, how do you release a game that you've supposedly been working on for as long as they have with Diablo 3 with this many unresolved problems? You honestly go through the entire Beta process and still can't get your ducks-in-a-row as far as the auction house that was announced months ago? Seriously???

Again, how are we blaming the game maker when players are the target vector for account compromises?!?! The reason you get email about your compromised account is because EVERYONE gets them, even my partner gets them, doesn't even play video games.... The rest of the drivel you are going on about barely even registers as coherent.

Wow. Just wow. 3 Bliz posts (one was deleted) and they are all posts of the year.

Vasadan wrote:

This is actually consistent with all of our Blizzard games. Try it in WoW and SC2

Said like it's a good thing! I literally facepalmed myself reading this.

Vasadan wrote:

Please leave discussions like this to the General Discussion forums. I'm not going to keep posting on threads if my answer to someone's bug report is a huge discussion about something that isn't a bug.

While not technically a bug, it's such a lapse in security there is a bug in their security programmers' brains for letting something like this happen.

That or it is because Bliz is too damned lazy to deal with all the calls from people who can't get into their accounts because they put in an upper case letter. That's it! Bow to the lowest common denominator when you now have REAL MONEY trading hands. That is if that AH ever comes online.

You clearly have no idea what you are talking about, thanks for playing... Again, no one is brute forcing bnet passwords with rainbow tables.... These people got exploited, try and not make an ass of yourself when the only argument you have for computer security are piss poor Ad SEC guidelines that involve the bit length difference of 5.17 and 6.5 bits... To create a truly secure pass bit length would require 95 characters, the entire ASCII table and a 14 digit randomly generated password... Very few consumers are really going to randomly generate a 14 digit pass for each and every account they have... so we have 2 factor pass to fill in the gaps

I'm still scratching my head over this. According to Blizzard.net, these are the password requirements: Your password must be between 8–16 characters in length. Your password may only contain alphabetic characters (A–Z), numeric characters (0–9), and punctuation. Your password must contain at least one alphabetic character and one numeric character. You cannot enter your account name as your password.

Yet, I see online message boards which allow longer passwords and also allow for a wider range of characters.

It isn't that hard to implement long, secure passwords into a database. You simply convert the password into a salted SHA1, SHA2, MD5, or similar hash. As long as it is salted with something unique with the account, they are incredibly hard to reverse engineer, yet take up 128 or less characters in the database. MD5 and SHA1 hashes are also used to verify a downloaded file.
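An added sketch of the storage scheme the comment above describes (not code from the thread or from Blizzard): a per-account random salt and a fixed-size digest, so password length never affects the database column, with the case-insensitive policy debated in this thread modelled as case folding before hashing. It swaps in PBKDF2-HMAC-SHA256, a deliberately slow key-derivation function, for the fast hashes the comment names; the iteration count, record fields and `case_insensitive` flag are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000   # assumed work factor for PBKDF2-HMAC-SHA256
DIGEST_LEN = 32        # stored digest is always 32 bytes, whatever the password length


def _normalize(password: str, case_insensitive: bool) -> bytes:
    # A case-insensitive password policy is just case folding applied before hashing.
    if case_insensitive:
        password = password.casefold()
    return password.encode("utf-8")


def _derive(password: str, salt: bytes, case_insensitive: bool) -> bytes:
    return hashlib.pbkdf2_hmac(
        "sha256", _normalize(password, case_insensitive), salt, ITERATIONS, dklen=DIGEST_LEN
    )


def make_record(password: str, case_insensitive: bool = False) -> dict:
    """Build the row a database would hold for one account (hypothetical layout)."""
    salt = os.urandom(16)  # unique per account, so equal passwords give different digests
    return {
        "salt": salt,
        "digest": _derive(password, salt, case_insensitive),
        "case_insensitive": case_insensitive,
    }


def verify(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = _derive(password, record["salt"], record["case_insensitive"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    short = make_record("hunter2a")
    long_ = make_record("x1" * 100)          # 200 characters
    print(len(short["digest"]), len(long_["digest"]))
    folded = make_record("Correct-Horse-9", case_insensitive=True)
    print(verify("correct-horse-9", folded))
```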

"Blizzard officially responded to these reports today, stressing that its servers have not been compromised. The "extremely small" number of complaints that Blizzard has received about compromised accounts have all boiled down to traditional password-stealing methods"

...is a blatant lie, I have several friends that have both a strong password and an authenticator that have been hacked, the only way to do this is with a session hijack... I still refuse to buy this game because of its forced connection requirement and the unacceptable number of bugs and nerfs.

My WoW got hacked back in the day with a semi secure password too. Ever since then I'd had an authenticator attached, yeah it's really annoying to have to pull your mobile out of your pocket to log into the battle.net forums but at least my loot is safe


I took 6 months off from WoW and came back to a hacked account. All loot and gear sold and empty of gold. This was after retrieving it from a banned status for gold selling. Blizzard managed to return most of my gear and cash but I lost a couple set pieces from old world that can no longer be obtained.

That account had an authenticator. I am not sure how in the world they got into my account. No one has my login details either.

Not sure if you have used an authenticator recently but once you log in they don't usually ask for it again until several days later. Assuming they just flag the IP address with a successful login as trusted so they don't bother you again till later.

More likely, the authentication process sets up a session ID (similar to how web authentication is remembered by reference to a cookie value) stored on your PC hard drive. Using an IP would be inherently insecure since it can never be trusted to uniquely identify an individual or an individual machine.
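The two "remember this login" models from the exchange above, side by side, as an added example that is not part of the thread and not Blizzard's implementation. The class names, the seven-day window and the sample account and address are assumptions made for illustration.

```python
import hashlib
import secrets

TRUST_SECONDS = 7 * 24 * 3600  # assumed length of the "several days" window


class IpTrust:
    """The first comment's guess: remember the IP address that passed the authenticator."""

    def __init__(self):
        self._trusted = {}  # (account, ip) -> expiry timestamp

    def remember(self, account, ip, now):
        self._trusted[(account, ip)] = now + TRUST_SECONDS

    def needs_second_factor(self, account, ip, now):
        return self._trusted.get((account, ip), 0) <= now


class DeviceTokenTrust:
    """The reply's model: a random per-device token, handled like a session cookie."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> (account, expiry); the raw token is never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def remember(self, account, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._key(token)] = (account, now + TRUST_SECONDS)
        return token  # given only to the client that just passed the authenticator

    def needs_second_factor(self, account, token, now):
        if not token:
            return True
        owner, expiry = self._tokens.get(self._key(token), (None, 0))
        return owner != account or expiry <= now

    def revoke_all(self, account):
        """Forget every remembered device, e.g. after a password reset."""
        self._tokens = {k: v for k, v in self._tokens.items() if v[0] != account}


def demo():
    now = 1_000_000.0          # constructed clock value
    shared_ip = "203.0.113.7"  # constructed documentation address (RFC 5737)
    ip_trust, dev_trust = IpTrust(), DeviceTokenTrust()
    ip_trust.remember("alice", shared_ip, now)
    token = dev_trust.remember("alice", now)
    return {
        # A second machine behind the same NAT address inherits IP-based trust...
        "ip_other_machine_prompted": ip_trust.needs_second_factor("alice", shared_ip, now + 60),
        # ...but holds no token, so it is still asked for the authenticator code.
        "token_other_machine_prompted": dev_trust.needs_second_factor("alice", None, now + 60),
        "token_same_machine_prompted": dev_trust.needs_second_factor("alice", token, now + 60),
        "token_expired_prompted": dev_trust.needs_second_factor("alice", token, now + TRUST_SECONDS),
    }
```

The token is a bearer credential: whoever presents it skips the second factor until it expires, which is why the expiry window and `revoke_all` on password reset matter.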